Systems and methods for detecting malicious processes by analyzing process names and process characteristics
    1.
    Granted invention
    Systems and methods for detecting malicious processes by analyzing process names and process characteristics (in force)

    Publication number: US08176555B1

    Publication date: 2012-05-08

    Application number: US12130812

    Filing date: 2008-05-30

    IPC classification: G06F21/00

    CPC classification: G06F21/566

    Abstract: A computer-implemented method for detecting a malicious process using file-name heuristics may comprise: 1) identifying a process, 2) identifying a process name for the process, 3) identifying a list of process names for non-malicious processes, and 4) determining, by comparing the process name for the process with the list of process names for non-malicious processes, whether to allow the process to execute. A method for maintaining a database containing information about non-malicious processes is also disclosed. Corresponding systems and computer-readable media are also disclosed.

    Unauthorized account monitoring system and method
    2.
    Granted invention
    Unauthorized account monitoring system and method (in force)

    Publication number: US09183377B1

    Publication date: 2015-11-10

    Application number: US12141736

    Filing date: 2008-06-18

    IPC classification: G06F11/00 G06F21/50 G06F21/55

    Abstract: A possibly pre-infected system is inspected for the existence of tracked application-specific accounts. If a tracked application-specific account is found, the system is further audited to verify that only authorized processes are using the account and that the authorized account creation application is installed on the host computer system.

    Blocking e-mail propagation of suspected malicious computer code
    4.
    Granted invention
    Blocking e-mail propagation of suspected malicious computer code (in force)

    Publication number: US07490244B1

    Publication date: 2009-02-10

    Application number: US10941527

    Filing date: 2004-09-14

    IPC classification: H04L9/00

    Abstract: Methods, apparatuses, and computer-readable media for preventing the spread of malicious computer code. An embodiment of the inventive method comprises the steps of: identifying (110) a computer application that is data mining an e-mail address; determining (130) whether the computer application associates at least one executable application and the data-mined e-mail address with an e-mail message (120); and blocking (140) the transmission of the e-mail message when the e-mail message is associated with the at least one executable application and the data-mined e-mail address.

    Preventing unauthorized loading of late binding code into a process
    5.
    Granted invention
    Preventing unauthorized loading of late binding code into a process (in force)

    Publication number: US07565686B1

    Publication date: 2009-07-21

    Application number: US10983374

    Filing date: 2004-11-08

    IPC classification: G06F11/30 G06F12/14 H04L12/22

    Abstract: A late binding code manager prevents the unauthorized loading of late binding code into a process. The late binding code manager detects an attempt to load late binding code into a process's address space. Subsequently, the late binding code manager determines whether a detected attempt to load late binding code into a process's address space is permitted. Responsive to the results of a determination as to whether an attempt to load late binding code into a process's address space is permitted, the late binding code manager executes at least one additional step affecting the loading of the late binding code into the process's address space. Such a step can comprise permitting, blocking or modifying the attempt to load the late binding code.

    Methods and systems for detecting obfuscated executables
    6.
    Granted invention
    Methods and systems for detecting obfuscated executables (in force)

    Publication number: US09135442B1

    Publication date: 2015-09-15

    Application number: US12130827

    Filing date: 2008-05-30

    Applicant: Mark Kennedy

    Inventor: Mark Kennedy

    IPC classification: G06F9/44 G06F21/56 G06F9/445

    CPC classification: G06F21/563 G06F9/44589

    Abstract: A computer-implemented method for detecting an obfuscated executable may include identifying an executable file programmed to execute on a target architecture. The method may also include disassembling a first section of the executable file and determining whether the first section of the executable file comprises a valid instruction. The method may further include determining, based on whether the first section of the executable file comprises a valid instruction, whether the executable file poses a security risk. Various other methods, computer-readable media, and systems are also disclosed.

    Systems and methods for reducing false positives produced by heuristics
    7.
    Granted invention
    Systems and methods for reducing false positives produced by heuristics (in force)

    Publication number: US08635171B1

    Publication date: 2014-01-21

    Application number: US12542099

    Filing date: 2009-08-17

    Applicant: Mark Kennedy

    Inventor: Mark Kennedy

    IPC classification: G06F15/18

    Abstract: An exemplary method for reducing false positives produced by heuristics may include: 1) training a heuristic using a set of training data, 2) deploying the heuristic, 3) identifying false positives produced by the heuristic during deployment, and then 4) tuning the heuristic by: a) duplicating at least a portion of the false positives, b) modifying the training data to include the duplicate false positives, and c) re-training the heuristic using the modified training data. Corresponding systems and computer-readable media are also disclosed.

    Malware detection efficacy by identifying installation and uninstallation scenarios
    8.
    Granted invention
    Malware detection efficacy by identifying installation and uninstallation scenarios (in force)

    Publication number: US08578345B1

    Publication date: 2013-11-05

    Application number: US12761364

    Filing date: 2010-04-15

    IPC classification: G06F9/44 G06F9/445 G06F11/00

    CPC classification: G06F21/566 G06F21/57

    Abstract: The launch of an installer or uninstaller is detected. A process lineage tree is created representing the detected launched installer/uninstaller process, and all processes launched directly and indirectly thereby. The detected installer/uninstaller process is represented by the root node in the process lineage tree. Launches of child processes by the installer/uninstaller process and by any subsequently launched child processes are detected. The launched child processes are represented by child nodes in the tree. As long as the installer/uninstaller process represented by the root node in the tree is running, the processes represented by nodes in the tree are exempted from anti-malware analysis. The termination of the installer/uninstaller process is detected, after which the processes represented by nodes in the process lineage tree are no longer exempted from anti-malware analysis.

    Systems and methods for identifying an executable file obfuscated by an unknown obfuscator program
    9.
    Granted invention
    Systems and methods for identifying an executable file obfuscated by an unknown obfuscator program (in force)

    Publication number: US08205263B1

    Publication date: 2012-06-19

    Application number: US12335890

    Filing date: 2008-12-16

    Applicant: Mark Kennedy

    Inventor: Mark Kennedy

    CPC classification: G06F21/564

    Abstract: A method for analyzing an unverified executable file within an antivirus engine in order to identify the executable file as being obfuscated by an unknown obfuscator program is described. An unverified executable file comprising obfuscated library strings is received. A list of pre-verified library strings is accessed. A determination is made as to whether the unverified executable file comprises one or more of the pre-verified library strings. The unverified executable file is identified as being obfuscated by an unknown obfuscator program if the file does not comprise one or more of the pre-verified library strings.

    Stealth threat detection
    10.
    Granted invention
    Stealth threat detection (in force)

    Publication number: US07934259B1

    Publication date: 2011-04-26

    Application number: US11290235

    Filing date: 2005-11-29

    Applicant: Mark Kennedy

    Inventor: Mark Kennedy

    CPC classification: G06F21/554

    Abstract: A stealth threat detection manager detects stealth threats. The stealth threat detection manager monitors system activities that are vulnerable to being used by stealth threats. Dynamic link libraries are often used by stealth threats, so in some embodiments the stealth threat detection manager monitors for the loading thereof. The stealth threat detection manager detects when a system activity being monitored occurs, and after the occurrence of the activity, determines whether a specific component associated with the activity (e.g., the dynamic link library being loaded) is accessible on the computer. If the component is accessible, the stealth threat detection manager concludes that the component is non-stealthed. On the other hand, if the component is not accessible, the stealth threat detection manager concludes that the component is a stealth threat, and takes appropriate action in response.